The Internet has become a significant part of how corporate America communicates. It enables us to send written communications and to access information in minutes. The Internet has streamlined time-consuming business tasks and cut down communication and information-gathering costs. Not only has it become a valuable business tool, but it has also become a significant source of fun and entertainment for employees. The Internet has brought to the desktop: shopping, access to news and weather reports, and many other nonwork-related Web site activities.

While the “Net” has provided many benefits to corporate America, it has also fostered a number of undesirable Internet-based activities. It makes available from the employee desktop activities like gambling and access to Web sites that contain pornography and other unacceptable content. As a result, Internet access has shifted from strictly an information technology issue to a human resources issue as well. Because of this, the Internet is beginning to create problems for employers in the areas of reduced productivity, sexual harassment, and “hostile workplace” claims.

In addition, the Internet has also given birth to a number of malicious Internet-based activities by third parties designed to wreak havoc, damage corporate networks, bombard end users with unsolicited advertisements, and steal information and money.

A law firm’s or corporation’s network is the core of its business operation and keeping the network secure from these problems is a number one priority. The damage to computer resources can come from: adware; malicious mobile code (computer viruses, worms and trojan horses); phishing; spyware; and zero-day exploits. In order to protect your network from these threats, it is important to understand exactly what each threat means, its purpose, and how it is transmitted to your system.

UNDERSTANDING THE THREATS

Adware.
Unlike spyware, which is acquired without user knowledge or approval, adware is installed with permission, usually after the user agrees to the terms of the End User License Agreement. These more benign programs, including those that install custom search capabilities in Internet browsers or e-mail Smilies, also collect information about users or user habits. The information is typically used to tailor future pop-up advertisements to users’ preferences for marketing purposes. These programs cause performance problems and use extensive computing resources (processing power, drive space, and bandwidth). They can also cause software conflicts with legitimate programs and affect employee productivity.

Malicious mobile code. “Malicious mobile code” is a new term to describe all sorts of destructive programs: viruses, worms, trojans, and rogue Internet content. Malicious mobile code is more prevalent today than ever before. The purpose of most viruses, worms, and trojans is to cause damage to your network, resulting in data loss and compromising the ability of the computer and/or the network to which it is connected to operate.

Phishing. Phishing attacks use “spoofed” e-mails and fraudulent Web sites designed to fool recipients into divulging personal financial data such as credit card numbers, account user names, passwords, and Social Security numbers. By hijacking the trusted brands of well-known banks, online retailers, and credit card companies, phishers are able to convince recipients to respond to them. They request confirmation of PIN numbers, access codes, and other confidential information and then use it to access the victim’s account. In a recently reported phishing incident, when users visited certain infected Web sites, their browsers were redirected to a Russian Web site, which secretly downloaded a keystroke logger onto their PCs. When the program detected that users visited certain target sites, primarily bank sites, the program started logging keystrokes.
Sensitive information such as user names, passwords, and account numbers was then posted directly to the hacker’s host computer in Russia.

Spyware. Spyware is software installed on a computer, usually without the user’s knowledge, along with adware and other similar software. It gathers information and sends it back to the initiating advertiser or other interested parties. Spyware can collect and transmit information such as keystrokes, Web surfing habits, passwords, e-mail addresses, credit card numbers, and other sensitive information. Spyware also misuses system resources and bandwidth as it tracks and transmits information. More seriously, spyware can also pose security, confidentiality, and compliance problems. It is often acquired surreptitiously when users download a “real” application or file, visit certain Web sites, or click on a deceptive pop-up window.

“Zero-day” exploit. A “zero-day” exploit is the exploitation of any software’s vulnerability that is done immediately after its discovery. This is a rapid attack that takes place before the vendor of the exploited software knows about the vulnerability or has been able to repair it. Security flaws in Microsoft products are a favorite target of zero-day exploits.

HOW ARE THEY INSTALLED?

Besides arriving through infected e-mail attachments, malevolent programs can also be introduced into your computer network when employees engage in Internet activities within the following categories: browsing Web sites that contain malicious mobile code; P2P (peer-to-peer) file sharing (e.g., music-sharing Web sites and instant messaging); and accessing Web-based e-mail (e.g., Hotmail, MSN, AOL Mail).

Spyware and adware. Spyware and adware can be acquired when users unknowingly give their permission while downloading or installing applications or by simply visiting certain Web sites.
They can also be spread when users click on a deceptive pop-up ad and during a peer-to-peer (P2P) file transfer or software download. Some spyware is secretly downloaded when a user launches a program acquired from a Web site. For example, a pop-up may notify the user that a special plug-in is required to run a video or movie file. In this case, what appears to be a legitimate plug-in could actually be spyware. Your users may not even know that your computers or network have been infected until they find ads popping up all over their desktops. Or, one day they may notice that their computers are working slower than usual, which happens when spyware programs are uploading information to a remote server or are downloading new ads.

Clicking on deceptive pop-up ads. Some pop-up screens don’t actually deliver advertisements but attempt to install unwanted software on your system and change your system configurations. These pop-ups can be very clever. Instead of “To install this program, click Yes,” the prompt unexpectedly reads, “To install this program, click No.” After clicking on these pop-ups, the user may find that the computer now displays new bookmarks and a different home page as well as having unwanted software installed.

P2P transfers or other software downloads. Some spyware hides out on P2P networks, such as music-sharing networks, and then spreads by infecting machines as users search for music selections. Once installed, adware and spyware can be nearly impossible to get rid of.

PROTECTIONS

The danger of allowing employees unbridled access to the Internet goes beyond the ominous exposure to viruses and worms. Firms face significant liability risks when employees access and distribute illegal or inappropriate content via a firm’s computer network. Firms may be held liable for the distribution and possession of such material and are also open to hostile workplace or sexual harassment lawsuits.
In addition, law firms are required to protect against unauthorized access to confidential client information. Here are some security measures.

Firewalls. A firewall, which is designed to prevent unauthorized access to or from a private network, is one of the most fundamental security tools for any firm. Although a firewall can effectively enforce a network security policy, a firewall cannot protect against spyware.

Anti-virus software. Anti-virus software is a vital component of a firm’s total security strategy, but it cannot protect against spyware.

Spyware and adware removal programs. Spyware removal tools are generally targeted to individual consumers, not to organizations. Scanning an individual PC for spyware can take 10 to 20 minutes or more. These tools operate on the premise of removing the spyware application after infection rather than prevention.

The component most often missing in a network protection plan is an Employee Internet Management system, capable of controlling Web access and providing management with reports on various areas of Internet access by the firm’s users. An EIM program is a software product for controlling employee access to undesirable Web sites and reporting on how employees use their computing resources, particularly Internet access and network bandwidth.

The EIM product that has been implemented on our firm’s network is Websense. It protects our network from unwanted downloading of malicious code, viruses, spyware, and adware. It also enables you to provide and implement Internet use policies, including blocking unauthorized sites, setting quota time for personal surfing, and allowing managed access. To help monitor Internet abuse within your firm, it produces a number of reports detailing employee Web surfing statistics, showing sites visited and surf times.

An Employee Internet Monitoring program must also be accompanied by a Computer and Internet Use Policy in order to fully protect the firm.
It should be included as part of an employee handbook. These types of policies outline in very clear terms what kind of Internet usage is permitted, what kind is not, and the consequences for violating the rules. That policy should address:

• What type of Web content access is never acceptable at work?
• What content is allowed if an employee surfs during nonbusiness hours?
• Are there employees who should be exempt from the above?
• Is there anyone who should never access the Internet from work?
• What types of Internet use reporting will be implemented?
• What procedure should be followed if an employee is suspected of Internet misuse?
• What disciplinary actions will employees be subject to for violation of the firm’s policy?

A strong measure to take against network infection is to keep malicious programs such as spyware from gaining access to your systems in the first place. This, as well as preventing employee Internet abuse, can be accomplished by adding EIM software and an Employee Computer and Internet Use Policy to your network security plan.

Roger C. Schechter is the director of technology and of counsel for Grotta, Glassman & Hoffman of Roseland, N.J., which specializes in labor and employment matters on behalf of management. This article first appeared in the ALM newspaper New Jersey Law Journal.


Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.